SUN MICROSYSTEMS SECURITY BULLETIN: #00116, 26 May 92
This information is only to be used for the purpose of alerting
customers to problems. Any other use or re-broadcast of this
information without the express written consent of Sun Microsystems
shall be prohibited.
Sun expressly disclaims all liability for any misuse of this information
by any third party.
---------------------------------------------------------------------------
All patches listed are available through your local Sun answer centers
worldwide as well as through anonymous ftp: in the US, ftp to ftp.uu.net
and obtain the patch from the /systems/sun/sun-dist directory; in Europe,
ftp to mcsun.eu.net and obtain the patch from the ~ftp/sun/fixes directory.
Note that Sun does not have direct access to mcsun.eu.net and must request
that patches be copied from ftp.uu.net to mcsun.eu.net. Therefore, there
may be a time lag before patches appear on mcsun.eu.net.
Please refer to the BugId and PatchId when requesting patches from Sun
answer centers.
----------------------------------------------------------------------------
BULLETIN TOPICS
  I.   New Patches
       A. 100482-02, SunOS 4.1.x: ypserv and ypxfrd will send maps to anyone
       B. 100630-01, SunOS 4.1.x: "LD_" environment variables can be used to
          exploit login/su, International version
  II.  Upgraded Patches
       A. 100377-04, SunOS 4.1.x: "LD_" environment variables can be used to
          exploit sendmail
  III. Program wrapper suggested if patches 100630-01, 100631-01, 100377-04
       are not immediately available.
==============================================================================
NEW PATCH INFORMATION
Sun Patch ID: 100482-02
Sun Bug IDs: 1036869, 1039839, 1082319, 1082320, 1080353
SunOS release: 4.1, 4.1.1, 4.1.2
Synopsis: This patch fixes several problems with NIS:
  1. Bug 1036869 - ypserv will send maps to anyone who can guess the
     domainname
  2. Bug 1039839 - DNS used in conjunction with NIS may generate
     inaccurate syslog messages to the console.
  3. Bug 1082319 - ypserv will send maps to anyone via the portmapper
  4. Bug 1082320 - ypxfrd will send maps to anyone. Ypxfrd does not
     check whether the person transferring the map is root on his/her
     machine, when the map is ``secure''. As a consequence, any user
     can get the password map if the NIS master is running ypxfrd.
  5. Bug 1080353 - whenever a primary name server downloads an 'A'
     record to a secondary system and this 'A' record contains more
     than 36 IP addresses, ypserv on the secondary system will core dump.
Please note that the /var/yp/securenets configuration file that is provided
in this patch does not support blank lines.
Checksum of compressed tarfile 100482-02.tar.Z on ftp.uu.net = 53416 284
Sun Microsystems would like to acknowledge the following people for the
permission to use their source modifications in the above patch:
Alain Brossard, Ecole Polytechnique Federale de Lausanne, Suisse
Richard Watterson and Daniel Trinkle, Purdue University, IN
Peter Lamb, Swiss Federal Institute of Technology
In addition, the following people provided valuable assistance:
Casper H.S. Dik, University of Amsterdam, The Netherlands
Dan Kegel, Jet Propulsion Laboratory, NASA
Sun Patch ID: 100630-01
Sun Bug IDs: 1085851
SunOS release: 4.1, 4.1.1, 4.1.2
Synopsis: "LD_" environment variables can be used to exploit login/su
Problem Description: A dynamically linked program that is invoked by
a setuid/setgid program has access to the caller's environment
variables if the setuid/setgid program sets the real and effective
UIDs to be equal and the real and effective GIDs to be equal before the
dynamically linked program is executed. A vulnerability exists if the
UIDs and GIDs are not equal to those of the user that invoked the
setuid/setgid program.
Note that this patch contains the international version of /bin/login
that users who are not using the US Encryption Kit need to install.
Patch 100631-01 contains the domestic version of /bin/login. /usr/bin/su
and /usr/5bin/su from this international patch are suitable for
sites that use the US Encryption Kit. Export regulations prohibit
putting 100631-01 on anonymous ftp sites. Please contact your Answer
Center for 100631-01.
Please refer to the section below entitled "PROGRAM WRAPPER" for
additional information.
Checksum of compressed tarfile 100630-01.tar.Z on ftp.uu.net = 36269 39
==============================================================================
UPGRADED PATCH INFORMATION
Sun Patch ID: 100377-04
Sun Bug IDs: 1030087, 1036159, 1041284, 1056203, 1068637, 1085853
SunOS release: 4.1, 4.1.1, 4.1.2
Synopsis: This patch combines 6 fixes and obsoletes Patch 100099-01:
  1. Bug 1030087 - sendmail yp aliasing does not work with non-Sun YP masters
  2. Bug 1036159 - a user can exploit sendmail to run programs with root's
     group privileges
  3. Bug 1041284 - sendmail -t fails when /var/spool/mail is nfs mounted
     from mailhost
  4. Bug 1056203 - a system that runs sendmail.mx will connect back to
     itself when it connects to a site that has MX records
  5. Bug 1068637 - sendmail ignores the .forward file of users with uid
     values greater than 32767
  6. Bug 1085853 - security can be subverted by the use of "LD_" environment
     variables.
Problem Description: Bug 1085853 for sendmail is the same problem discussed
above for bug 1085851, Patch 100630-01 for login/su. Please refer to
the description for Patch 100630-01 for more information.
Checksum of compressed tarfile 100377-04.tar.Z on ftp.uu.net = 14692 311
==============================================================================
PROGRAM WRAPPER
Sun has been informed by several computer emergency response teams that
the vulnerabilities stated in BugIds 1085851 and 1085853 are known and
currently being exploited by computer crackers. If your site is
concerned about the security of your SunOS systems, it is important that
you install the applicable patches for BugIds 1085851 and 1085853 as
soon as possible.
The only applications that are known to have this problem in SunOS 4.1.x
are login, su, and sendmail. However, custom or third-party setuid/setgid
applications may also be vulnerable. Please check with your software
supplier, a response team, or with me if you have doubts.
If you do not have ready access to the patches for these bugs, Sun
recommends that you wrap your login, su, and sendmail executables with
the following C program, provided by Wietse Venema, Eindhoven University
of Technology, The Netherlands:
/*----------------------------------------------------------------*/
/*
 * Remove "LD_" variables from user environment before calling an executable
 *
 * This code is specific to /bin/login, but can be easily modified
 * to wrap other programs by modifying "COMMAND".
 */
#define COMMAND "/bin/login+"

main(argc,argv)
int argc;
char **argv;
{
    fixenv();                   /* strip "LD_" variables first */
    execv(COMMAND,argv);        /* run the real program with the caller's argv */
    perror(COMMAND);            /* reached only if execv() fails */
    exit(1);
}

fixenv()
{
    extern char **environ;
    char **cpp;
    char **xpp;
    char *cp;

    for (cpp = environ; cp = *cpp; cpp++) {
        /* "while", not "if": the entry shifted into this slot may also be LD_ */
        while (*cp++ == 'L' && *cp++ == 'D' && *cp == '_') {
            /* delete this entry by moving every later pointer down one slot */
            for (xpp = cpp; xpp[0] = xpp[1]; xpp++)
                /* void */ ;
            if ((cp = *cpp) == 0)
                return;
        }
    }
}
/*----------------------------------------------------------------*/
The example code above is specific to /bin/login.

Install as root:

Move the old /bin/login to /bin/login+ and modify permissions:

    mv /bin/login /bin/login+
    chmod 0750 /bin/login+

Put the code above in a C program file and compile. For this example
assume the file is /tmp/login.c:

    cd /tmp
    make login

Move the wrapper program into /bin/login and modify permissions and ownership:

    mv /tmp/login /bin/login
    chown root.staff /bin/login
    chmod 4711 /bin/login

The C code above can be easily modified for use with /usr/lib/sendmail,
/usr/bin/su, and /usr/5bin/su. Change the value of "COMMAND" to the
new, full path name of the command that you want to wrap after you have
moved it. For example, if you moved /usr/lib/sendmail to /usr/lib/sendmail+
(using the command "mv /usr/lib/sendmail /usr/lib/sendmail+"), change
the macro definition of "COMMAND" in the C program to:
    #define COMMAND "/usr/lib/sendmail+"
Then perform the analogous steps above to compile and install your sendmail
wrapper. Note that "COMMAND" should always be an absolute pathname for
security purposes. The code should not be modified to accept "COMMAND"
as an argument using argv[].
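
An added example, not part of Sun's bulletin or of Wietse Venema's wrapper: the same environment scrub written as a testable function over any NULL-terminated vector, extended beyond the bulletin's "LD_" deny-list with an allow-list mode that keeps only named variables. The names filter_env and name_allowed, the sample environment, and the TERM/TZ keep list are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Nonzero if the first n bytes of entry are exactly one of the names in keep[]. */
static int name_allowed(const char *entry, size_t n, const char *const *keep)
{
    for (; *keep; keep++)
        if (strlen(*keep) == n && strncmp(entry, *keep, n) == 0)
            return 1;
    return 0;
}

/*
 * Compact env[] in place; return the number of entries dropped.
 * keep == NULL: deny-list mode, drop names starting with "LD_" (the bulletin's rule).
 * keep != NULL: allow-list mode, keep only "NAME=value" entries whose NAME is in keep[].
 */
size_t filter_env(char **env, const char *const *keep)
{
    char **in, **out = env;
    size_t dropped = 0;
    for (in = env; *in; in++) {
        const char *eq = strchr(*in, '=');
        size_t n = eq ? (size_t)(eq - *in) : 0;   /* 0 marks a malformed entry */
        int ok = keep ? (n > 0 && name_allowed(*in, n, keep))
                      : strncmp(*in, "LD_", 3) != 0;
        if (ok)
            *out++ = *in;
        else
            dropped++;
    }
    *out = NULL;                                  /* re-terminate the shortened vector */
    return dropped;
}

int main(void)
{
    /* Constructed sample environment; the names in keep[] are an assumed policy. */
    char *env[] = { "LD_LIBRARY_PATH=/constructed", "TERM=vt100", "LD_EXAMPLE=1",
                    "OLD_HOME=/constructed", "TZ=MET", NULL };
    const char *const keep[] = { "TERM", "TZ", NULL };
    char **p;

    printf("deny-list dropped %lu\n", (unsigned long)filter_env(env, NULL));
    printf("allow-list dropped %lu\n", (unsigned long)filter_env(env, keep));
    for (p = env; *p; p++)
        puts(*p);
    return 0;
}
```

In deny-list mode "OLD_HOME" and a name such as "LDX" survive because only the leading "LD_" prefix is matched; in allow-list mode they are dropped along with any entry that has no "NAME=" part.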
Sun patches for these bugs are being tested for Sun SHIELD ARM. Please
contact your Answer Center or me for availability. It is highly recommended
that the wrapper program be installed around your applicable ARM versions
of the affected programs.
Sun Microsystems would like to acknowledge Wietse Venema and the CERT,
CIAC, and PCERT computer security emergency response teams for their
valuable assistance in dealing with this vulnerability.
===========================================================================
Sun Microsystems recommends that all customers concerned with the security
of their SunOS systems obtain and load the patches that are applicable to
their system(s).
Kenneth L. Pon
Software Security Coordinator
Sun Microsystems, Inc.